PT-2025-32383
Author: Cipherboy
Published: 2025-08-08 · Updated: 2025-09-12
CVE-2025-55001
CVSS v2.0: 7.7 (High)
Vector: AV:N/AC:L/Au:M/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: OpenBao versions 2.3.1 and below
Description: OpenBao allows the assignment of policies and MFA attribution based on entity aliases. When the username_as_alias=true parameter of the LDAP auth method is used, the supplied username is taken as the alias name without normalization, potentially allowing an attacker to bypass alias-specific MFA requirements.
Recommendations: OpenBao versions prior to 2.3.2: remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly.
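The following is an added audit example written for this advisory, not code from the OpenBao project. It reads the JSON that the LDAP auth method's config endpoint returns (constructed sample below; the `auth/ldap/config` path and the `username_as_alias` field are taken from the LDAP auth method's documented configuration, and the `bao read -format=json` invocation is an assumption) and flags an instance that is both below 2.3.2 and using username_as_alias=true. It also illustrates why the missing normalization matters: without it, case and whitespace variants of one LDAP username produce distinct alias names, so an alias-bound MFA requirement attached to one spelling does not apply to the others. The lowercase-and-strip normalization shown is a representative choice; the exact normalization the fix applies is not stated on this page.

```python
import json

# Constructed sample of the JSON returned by
#   bao read -format=json auth/ldap/config   (assumed CLI form; GET /v1/auth/ldap/config)
# Only the fields used below are included.
SAMPLE_LDAP_CONFIG = json.dumps({
    "data": {
        "url": "ldaps://ldap.example.internal",
        "userdn": "ou=people,dc=example,dc=internal",
        "username_as_alias": True,
    }
})

# First version in which the advisory says the behaviour is fixed.
FIXED_VERSION = (2, 3, 2)


def parse_version(version):
    """Turn '2.3.1' or 'v2.3.1' into a comparable (major, minor, patch) tuple."""
    return tuple(int(part) for part in version.lstrip("v").split(".")[:3])


def ldap_alias_setting_is_risky(config_json, server_version):
    """True when the server is below 2.3.2 AND LDAP auth uses username_as_alias=true.

    Either condition alone is not flagged: a patched server normalizes the
    alias name, and a server that does not use username_as_alias is unaffected.
    """
    data = json.loads(config_json).get("data", {})
    uses_username_alias = bool(data.get("username_as_alias", False))
    return uses_username_alias and parse_version(server_version) < FIXED_VERSION


def alias_name_unnormalized(username):
    """Vulnerable behaviour described in the advisory: the supplied string is the alias name."""
    return username


def alias_name_normalized(username):
    """Representative normalization (assumption: lowercase + strip whitespace)."""
    return username.strip().lower()


def distinct_alias_count(username_variants, alias_fn):
    """How many different entity aliases the given login spellings would map to."""
    return len({alias_fn(u) for u in username_variants})


def audit_report(config_json, server_version):
    """Human-readable summary a defender can drop into a ticket."""
    risky = ldap_alias_setting_is_risky(config_json, server_version)
    if not risky:
        return f"OpenBao {server_version}: LDAP alias configuration not affected by CVE-2025-55001."
    return (f"OpenBao {server_version}: username_as_alias=true on an unpatched server; "
            "alias-bound MFA may not apply to non-canonical username spellings. "
            "Upgrade to 2.3.2 or remove username_as_alias and update entity aliases.")


if __name__ == "__main__":
    spellings = ["alice", "Alice", "ALICE ", " alice"]
    print(audit_report(SAMPLE_LDAP_CONFIG, "2.3.1"))
    print("aliases without normalization:",
          distinct_alias_count(spellings, alias_name_unnormalized))
    print("aliases with normalization:   ",
          distinct_alias_count(spellings, alias_name_normalized))
```

Run it against the real config output by replacing `SAMPLE_LDAP_CONFIG` with the JSON your server returns and `"2.3.1"` with the version from `bao status`; a non-risky result still leaves the entity-alias cleanup from the recommendation to do if you remove the flag.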

Related Identifiers

BDU:2025-11279
CVE-2025-55001
GHSA-2Q8Q-8FGW-9P6P
GO-2025-3859
OPENSUSE-SU-2025:15434-1
SUSE-SU-2025:02912-1

Affected Products

Openbao
Red Os